Wazuh on macOS last month. Wazuh on Windows today.
Three weeks ago I rolled Wazuh out to 140 Macs. Last week someone said we need it on the five Windows servers in EMEA finance. Here is what transferred, what did not, and why starting from zero was not the right move.
Three weeks ago I rolled Wazuh out to our macOS fleet. 140 devices. Agent enrollment, ossec.conf tuning, FIM rules, Sysmon-for-Mac equivalent coverage, alert routing, all of it.
Last week someone said we need Wazuh on the five Windows servers in the EMEA finance subnet.
Here is what I did not do: start from scratch.
What transferred
The Wazuh manager address, the auth keys, the enrollment workflow, the alert routing rules. Those are OS-agnostic. The ossec.conf structure I tuned over three days during the Mac rollout applies to Windows with small modifications.
The detection rules I wrote for process execution, file integrity events, and privilege escalation were largely portable. Some paths changed. Some event sources changed. But the logic I already debugged did not need to be debugged again.
The graph remembered all of that. When I started the Windows rollout it surfaced the macOS project as searchable context. Adapted tasks came pre-generated. Reusable artifacts were already linked. The gaps I hit on macOS (we underscoped FIM coverage on /Library the first time) were flagged as things to check on Windows.
What did not transfer
The Windows service name is WazuhSvc, not wazuh-agent. You will feel dumb when this burns an hour. I did.
Sysmon on Windows is its own thing. The config I had from the Mac rollout was not a starting point. It was noise.
Every FIM rule that referenced a macOS path had to be rewritten. Every Mac-specific event source had to be swapped.
The part that actually mattered
Three weeks ago, halfway through the Mac rollout, I tightened the Sysmon-equivalent config to add DNS and ImageLoad events because the default config was not giving us the signal we needed on a real incident drill. I made that change on a Friday afternoon, slightly panicked, and barely documented it.
I would not have remembered to do it on the Windows rollout. It is the kind of small tuning decision that evaporates three weeks later.
The graph remembered. It carried that decision forward as a default for future Wazuh rollouts. Day one on Windows, DNS and ImageLoad events were already in the task list with context from the Mac rollout attached.
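The two classes of mistake above (a Sysmon config that silently leaves DNS and ImageLoad off, and FIM directories or event sources copied straight from the macOS ossec.conf) are cheap to catch before the agent is pushed. The following linter is an added example, not code from the post, from Wazuh or from Sysmon; the two Sysmon configs and two agent ossec.conf fragments it checks are constructed samples, and the Windows FIM directories in them are assumed, not the post's. It relies on two facts about Sysmon: an event type with no rule in EventFiltering is not logged at all for DnsQuery and ImageLoad, and an `onmatch="include"` rule with no child filter matches nothing, so it is as good as missing.

```python
"""Pre-rollout lint for a Wazuh Windows agent: verify the Sysmon config
actually logs the event types carried over from the macOS rollout (DNS,
ImageLoad) and that the agent ossec.conf has no macOS leftovers.
Added example; sample configs below are constructed."""
import xml.etree.ElementTree as ET

# Sysmon event types that stay silent unless a rule is configured for them.
REQUIRED_SYSMON_EVENTS = ("DnsQuery", "ImageLoad")
# Event channel the Wazuh agent must read for Sysmon events to reach the manager.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def sysmon_event_coverage(sysmon_xml: str) -> dict:
    """Map each required event type to "logging", "include-empty" or "missing".
    onmatch="exclude" with no filters logs everything of that type (noisy, but on);
    onmatch="include" with no filters logs nothing (the trap)."""
    status = {event: "missing" for event in REQUIRED_SYSMON_EVENTS}
    filtering = ET.fromstring(sysmon_xml).find("EventFiltering")
    if filtering is None:
        return status
    for event in REQUIRED_SYSMON_EVENTS:
        for node in filtering.iter(event):
            empty_include = node.get("onmatch", "").lower() == "include" and len(node) == 0
            if not empty_include:
                status[event] = "logging"   # any real rule wins
            elif status[event] == "missing":
                status[event] = "include-empty"
    return status


def ossec_conf_findings(ossec_xml: str) -> list:
    """Lint an agent-side ossec.conf for Windows. ossec.conf may hold several
    top-level <ossec_config> blocks, so wrap it before parsing."""
    root = ET.fromstring("<root>" + ossec_xml + "</root>")
    findings = []
    channels = {loc.text.strip() for loc in root.iterfind("ossec_config/localfile/location") if loc.text}
    if SYSMON_CHANNEL not in channels:
        findings.append("no <localfile> for " + SYSMON_CHANNEL)
    for directories in root.iterfind("ossec_config/syscheck/directories"):
        for path in (directories.text or "").split(","):
            path = path.strip()
            if path.startswith("/"):   # POSIX path: copied from the macOS syscheck block
                findings.append("macOS-style FIM path on a Windows agent: " + path)
    return findings


def lint_windows_agent(sysmon_xml: str, ossec_xml: str) -> list:
    """Combined findings; an empty list means both files pass."""
    findings = [f"Sysmon {event} is {state}" for event, state in sysmon_event_coverage(sysmon_xml).items()
                if state != "logging"]
    return findings + ossec_conf_findings(ossec_xml)


# Constructed sample: a "default-ish" Sysmon config. DnsQuery is absent and the
# ImageLoad rule is an empty include, so neither event type is ever logged.
SYSMON_BEFORE = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or"><ProcessCreate onmatch="exclude"/></RuleGroup>
    <RuleGroup name="" groupRelation="or"><ImageLoad onmatch="include"/></RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed sample: the tuned config. DNS logged except an internal suffix,
# ImageLoad restricted to unsigned images.
SYSMON_AFTER = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or"><ProcessCreate onmatch="exclude"/></RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude"><QueryName condition="end with">.corp.example</QueryName></DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include"><Signed condition="is">false</Signed></ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed sample: agent config copied from the Mac rollout unchanged.
OSSEC_BEFORE = """<ossec_config>
  <syscheck><directories check_all="yes" realtime="yes">/Library,/Applications</directories></syscheck>
  <localfile><location>Security</location><log_format>eventchannel</log_format></localfile>
</ossec_config>"""

# Constructed sample: Windows FIM paths (assumed, not the post's) plus the Sysmon channel.
OSSEC_AFTER = r"""<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\Windows\System32\drivers\etc</directories>
    <directories check_all="yes">C:\Program Files (x86)\ossec-agent</directories>
  </syscheck>
  <localfile><location>Microsoft-Windows-Sysmon/Operational</location><log_format>eventchannel</log_format></localfile>
</ossec_config>"""

if __name__ == "__main__":
    for label, sysmon, ossec in (("before", SYSMON_BEFORE, OSSEC_BEFORE), ("after", SYSMON_AFTER, OSSEC_AFTER)):
        print(label, lint_windows_agent(sysmon, ossec) or "OK")
```

Run against the real files, the linter takes the Sysmon XML you pass to `sysmon -c` and the agent's `ossec.conf`; the empty-include check is the one worth keeping even if you drop the rest, because it is the failure mode that looks configured and logs nothing.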
That is the part that matters. Not the artifacts. Not the tasks. The small tuning decisions you made three weeks ago that you would otherwise forget to make again.
The rule
Every rollout you ship is context for the next one. If your tooling archives the rollout when it ends, that context dies. If your tooling keeps it alive, the next similar project starts further along than the last one.
I am not starting from zero. Neither should you.